Pocket PC Remote Administration

The Pocket PC is a handy device for working with email and calendars, jotting notes, and running myriad portable applications from almost anywhere. Today's Pocket PC, with its increased horsepower and wireless capabilities, can also serve as an IT systems administrator's remote management platform. Let's summarize what's involved in using Pocket PCs for remote administration, then look at eight software products that let you manage your Windows systems and network devices from wherever you can wirelessly connect to the Internet.

Pocket PC Remote Administration
To use a Pocket PC to remotely administer your network, you'll need to prepare your infrastructure by performing tasks such as opening your firewall and installing a management server. Most Pocket PC remote administration products use client/server architectures. In other words, a proprietary client or a Web browser runs on the Pocket PC and communicates with a management server that's on your network. The management server runs the software that makes (or brokers) the connection between the remote client and the management server and issues commands to the servers and network devices that you want to control or manage remotely.

Typically, you don't need to install software on the servers that you want to remotely administer. Remote communication happens only between the Pocket PC and the management server, which makes firewall configuration straightforward. Different products use different protocols—such as HTTP, Secure Sockets Layer (SSL), or proprietary protocols—to communicate between the Pocket PC and the management server. Most products require only an opening in the firewall for communication with the remote Pocket PC. Of the products I look at, Expertcity's GoToMyPC is the lone exception: You need to install a GoToMyPC client on every remotely managed computer. GoToMyPC uses a polling mechanism from a client inside your network to communicate with an external application service provider (ASP) Web application.

Some products encrypt data between the Pocket PC and the management server; others send all data (including logon credentials) in the clear. For additional security, you can load an independent VPN client on your Pocket PC, then create a tunnel between the device and a compatible VPN switch on your network perimeter. In addition to encrypting remote administration traffic, a VPN provides more secure access to your network than does a firewall rule that forwards traffic to an internal server.

Different products also have different requirements for the type of accounts the Pocket PC uses to make remote connections. Some products require you to enter a domain username and password, which the Pocket PC proxies through the management server to the target server, thereby preserving network security. You can then access the remote-system data that your domain account allows. Other products require you to enter a separate set of credentials to log on to the management server. Depending on how the management software has configured remote users, these products then use a privileged domain account that's stored on the management console to let you access target systems and perform specific actions.

Unfortunately, because the remote commands use the domain account that's stored on the management server (instead of the user's actual credentials), the remote actions are logged under that one account. To alleviate this problem, some products let you log all remote administration tasks at the management server before they're actually executed on the server. In addition, for even more security, many products support two-factor authentication products such as RSA Security's RSA SecurID.
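The shared-account logging problem and the log-before-execute mitigation described above, sketched as an added example (not code from any of the reviewed products). The account name, policy table, server names, and functions are hypothetical, and the HMAC chaining of log records goes beyond what the article describes.

```python
import hashlib
import hmac
import json

# Hypothetical names throughout: none come from the reviewed products.
SERVICE_ACCOUNT = "EXAMPLE\\svc-mobileadmin"  # shared privileged account held by the server
POLICY = {  # actions each remote operator may request
    "alice": {"restart_service", "reset_password"},
    "bob": {"restart_service"},
}

class AuditLog:
    """Append-only log; each record's HMAC covers the previous tag, so an
    edited or deleted record breaks verification of the chain."""

    def __init__(self, key: bytes):
        self._key = key
        self.records = []  # list of (json_bytes, tag)

    def _tag(self, prev: bytes, body: bytes) -> bytes:
        return hmac.new(self._key, prev + body, hashlib.sha256).digest()

    def append(self, entry: dict) -> None:
        prev = self.records[-1][1] if self.records else b"\x00" * 32
        body = json.dumps(entry, sort_keys=True).encode()
        self.records.append((body, self._tag(prev, body)))

    def verify(self) -> bool:
        prev = b"\x00" * 32
        for body, tag in self.records:
            if not hmac.compare_digest(tag, self._tag(prev, body)):
                return False
            prev = tag
        return True

def broker(log, remote_user, action, target, execute, seq):
    """Authorize, write the audit record, and only then run the command."""
    allowed = action in POLICY.get(remote_user, set())
    log.append({"seq": seq, "remote_user": remote_user, "runs_as": SERVICE_ACCOUNT,
                "action": action, "target": target,
                "decision": "allow" if allowed else "deny"})
    if not allowed:
        return None
    return execute(SERVICE_ACCOUNT, action, target)

def demo():
    """Constructed session: three requests from two operators."""
    log = AuditLog(b"constructed-demo-key")
    target_log = []  # what the managed servers themselves would record

    def execute(account, action, target):
        target_log.append(f"{target}: {action} by {account}")
        return "ok"

    results = [
        broker(log, "alice", "reset_password", "SRV01", execute, 1),
        broker(log, "bob", "reset_password", "SRV01", execute, 2),  # denied
        broker(log, "bob", "restart_service", "SRV02", execute, 3),
    ]
    return log, target_log, results

if __name__ == "__main__":
    log, target_log, results = demo()
    print(target_log)
    print([json.loads(body)["remote_user"] for body, _ in log.records], log.verify())
```

The target-side entries name only the shared account, while the management server's log keeps the real operator for every request, including the denied one.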

The Pocket PC's data input methods can make systems management difficult. New versions of Microsoft Transcriber are great for taking notes, but trying to quickly scribble a command such as

copy C:\winnt\system32\somefile.exe C:\destination

can be difficult and result in error. Keyboard entry is much more accurate but is typically slower. To address this problem, several of the following products offer remote administration shortcuts through clicks, macros, and even basic scripts.

Bandwidth affects the performance of remote administration tools, especially if you're using a wireless LAN (WLAN) connection or a much slower cellular-based Pocket PC. I evaluated the products in this article using a Toshiba e755 Pocket PC with integrated 802.11b WLAN capability.

ASG-MobileControl Administrator
ASG Software Solutions' ASG-MobileControl Administrator offers an effective and polished Web-based remote access interface with a familiar Windows-like look and feel. ASG-MobileControl Administrator requires the Windows .NET Framework and Microsoft IIS, and you can access the application using a Web browser. Installation consists of installing the Framework, a Microsoft Data Access Components (MDAC) update, and the MobileControl program files on a management server. The application uses a combination of Windows authentication and a PIN to restrict access to the remotely managed servers.

After you configure computers and users on the server application, you can customize user access. For example, you can let one user manage accounts and another user power-cycle a computer. You need to use the MobileControl management interface to enable and license all remotely managed systems. This task is easy, but you have to add each computer manually.

On your Pocket PC screen, a well-organized menu of commands, which Figure 1 shows, lets you manage computers, print servers, Microsoft SQL Server machines, users and groups, IIS servers, SNMP devices, and power-management features. Each menu selection takes you deeper into the management of that particular object. ASG-MobileControl Administrator speeds navigation by letting you specify favorites for many objects, such as print servers and IIS servers.

In addition to remote-server management functions, ASG-MobileControl Administrator provides several useful tools, including Ping, DNS Lookup, Whois, Telnet, Secure Shell (SSH), Tracert, and command prompts. A menu gives you fast access to common actions by letting you select a computer and an action.

GoToMyPC
The subscription-service–based GoToMyPC, a unique Pocket PC remote administration tool, uses a miniature version of the Windows desktop. The software uses a combination of ASP Web site software and screen resizing to provide the most Windows-like remote PC administration. Whereas other tools create shortcuts and menus to let you perform common tasks, GoToMyPC lets you use your actual Windows desktop to perform tasks. GoToMyPC succeeds where the Pocket PC Terminal Services client falls short because you can resize the screen from a tiny Scale to fit setting to a fairly readable 50 percent or as much as 400 percent. In addition, to accommodate the horizontal aspect ratio of most Pocket PC screens, GoToMyPC lets you rotate the display 90 degrees.

The results are surprisingly good, albeit small. But even at the Scale-to-fit setting, which Figure 2 shows, you can recognize and manipulate the screen elements (although I recommend that you don't try to do so while you're riding a bus; at such a tiny size, a steady hand is a must). Although you can use a stylus to open menus, click icons, and manipulate desktop items, the performance is a bit slow and you might have to repeat some commands. Executing predefined actions of the Pocket PC–specific remote administration applications is typically faster and more efficient than using desktop tools, but I find that having the desktop tools available on my Pocket PC is useful.

GoToMyPC requires an agent on any system that you want to remotely control, but it doesn't require any special firewall configuration because the host computer polls the central GoToMyPC service every 15 seconds. You have to run the GoToMyPC host application to remotely control a server, but you don't have to stay logged on; the application runs as a service. GoToMyPC operates more like NetMeeting than like Windows 2000 Server Terminal Services because you interactively log on and, unless you instruct GoToMyPC to make the screen blank, other people can walk up to the server and see what you're doing.

GoToMyPC

Contact: Expertcity * 805-690-6400
Web: http://www.expertcity.com
Price: Pro Plan: $16.95 per server per month

Decision Summary
Pros: Includes all desktop tools
Cons: Managing a full desktop on a small screen is tricky; managed servers must frequently connect to GoToMyPC site; you must install agent on every managed system

iAdmin Mobile
The upside of iAdmin Mobile's minimal functionality is that the application requires a remarkably small 2MB of disk space on the management server. Adding the servers that you want to manage to the iAdmin Mobile console requires a cumbersome, one-server-at-a-time approach, but if you manage only a few servers, this limitation might not be a problem.

To connect from a mobile client, you log on one time at the beginning of a session, then use those credentials to remotely access the managed computers. Your logon credentials, as configured on the management server, determine which computers you can connect to and remotely manage.

iAdmin Mobile lets you perform user and group management tasks such as creating users and local and global groups, deleting users or groups, modifying properties, changing group memberships, and resetting user passwords. In addition, iAdmin Mobile lets you view or manage your Exchange, IIS, and non–Active Directory (AD) integrated DNS servers. (Some functions are limited, however—for example, the Exchange Administration command shows only your Exchange server statistics.) You can use iAdmin Mobile to start or stop a Web site and back up the IIS metabase. The Domain Administration command lists domain attributes, such as the domain password policy and Flexible Single-Master Operation (FSMO) roles. Unfortunately, although the application's command-line functionality lets you fire off commands, you can't display returned data. So, for example, you can start notepad.exe on a remote server, but you won't be able to see the results of the Ipconfig command.

IC2
Inciscent's IC2 provides cross-platform administration of your network. The server runs on Caucho Technology's Resin Web server and uses MySQL for the database back end. The product supports Windows system remote administration through its Windows Management Module (WMM), which uses a series of drill-down menus for navigation. For example, to display a system's event log, you click Network tools, Computers, Connect to Computer, then enter the computer name, your username, password, and domain. Unfortunately, whenever you connect to a different computer or want to use another IC2 tool, you have to reauthenticate. The most recent version of the tool solves this problem for domain accounts by letting you log on once, then connect to any member servers on the domain. This recently added feature makes switching between servers that you want to remotely manage a breeze.

From the client, IC2 displays a relevant list of tools, such as Services, Processes, Local Users, Local Groups, Event Logs, Utilities, File Browser, Installer, Network Adapters, and a command prompt. As Figure 4 shows, the uncluttered interface lets you easily view the status of user accounts. The IC2 client uses an SSH or Telnet client to connect to network devices and supports SNMP to help you monitor SNMP-enabled Windows and non-Windows equipment.

IC2 uses shortcuts to streamline its menus. In the Web-based configuration program, you can drill down (like you do with the client) and assign a shortcut at any level. The shortcut is then available to remote clients, letting administrators simply click the shortcut on their Pocket PCs to access the desired destination.

Network Tools
To install Blueprint Software's Network Tools (Net Tools), you must first install the Remote Service Control (RSC) service on a server that runs the .NET Framework. The RSC service provides the application's server component. After you install RSC, you can load the proprietary Net Tools client software on your Pocket PC and launch the application.

Net Tools' attractive UI lets you manage common system functions. However, Net Tools lacks the security and breadth of functionality of the more expensive products. You can use the RSC server to set up individual users. However, RSC requires that a primary user account with sufficient privileges to execute remote commands remain logged on interactively to the RSC server, and Net Tools executes all users' commands under the primary user's context. For example, when the primary user is logged on to the RSC server as a domain administrator, any Pocket PC user who has a Net Tools username and password can connect to the RSC server and execute commands as a domain administrator. Furthermore, communication between the client and the RSC server—including user credentials—is unencrypted.

You can use Net Tools' Ping and Traceroute commands from your Pocket PC to any destination and store addresses so that you can quickly ping a set of known addresses during troubleshooting. Net Tools also supports Telnet (but not SSH) using a Telnet server that accepts clear-text credentials. You can view services, device drivers, and processes, as Figure 5 shows, as well as start new processes.

The Net Tools menu provides access to the primary Windows-management functions, but the functions aren't as robust as those of the more expensive tools. For example, you can edit only domain user information (not local accounts), and you can disable/enable user accounts, reset user passwords, and add new users, but you can't unlock or edit user accounts or access group memberships. The command-line tool is restricted to batch files and built-in commands such as Dir, Path, and Ver. And you must wrap external utilities such as Ipconfig and Netstat in batch files before you can use Net Tools to run them remotely.

NT Services
For accessing and remotely managing services in which granular security isn't a concern, Backbone Software's NT Services offers nearly all its competitors' features for a fraction of the price. For $69, you can remotely manage services, processes, IIS Web sites, and Terminal Services sessions; view event logs and computer information; and back up IIS settings. In fact, NT Services' management features are equal or superior to those of other products that cost thousands of dollars.

NT Services' focal points are an IIS Web site and a COM+ application (which you have to manually configure, but the instructions are easy to follow). The Web server displays different pages depending on the version of Web client that you use: a small version designed for Microsoft Pocket Internet Explorer (PIE) or a standard version viewable from any Web browser. You don't need a proprietary Pocket PC client.

The included tools give you an overview of a particular function, then let you drill down for more detailed information. For example, click the IIS Sites link that Figure 6 shows, then you can start and stop the service or drill into the site to check permissions and other site settings. You can view information about the processor, memory, network adapters, drive, and installed service packs and patches for any remote computer system that NT Services can access. The software doesn't offer user or group management or a command shell, SSH, or Telnet for executing arbitrary commands.

You have to configure IIS security to protect access to an IIS Web site. By default, the NT Services management Web site is open to anonymous users and isn't encrypted. To manage systems across a domain, NT Services recommends configuring a dedicated account with domain administrator privileges and using that account to execute commands. Larger organizations might shy away from this product in favor of one that supports individual account permissions, but small companies might not mind this shared access.

Expand Beyond Mobile Suite for Microsoft
Expand Beyond Mobile Suite for Microsoft includes three applications: PocketAdmin for Windows, PocketAdmin Console, and PocketDBA. These applications provide a cross-platform remote management solution that supports Windows, database, and SSH/Telnet platforms. The PocketAdmin architecture consists of a client/server installation that includes a mobile client, an Apache Software Foundation Jakarta Tomcat–powered XBanywhere server, and a Windows gateway. You can use the PocketAdmin Console client to connect to an SSH or Telnet server, or you can use the Expand Beyond Mobile Suite to manage your Windows or database systems. Mobile clients connect to the XBanywhere server, which runs on Sun Microsystems Solaris 8 or later; Red Hat Linux 7.3 or later; or Windows Server 2003, Win2K, or Windows NT 4.0 Service Pack 6a (SP6a). The XBanywhere server then connects to a Windows gateway, which communicates directly with the managed servers. You need only one XBanywhere server, but Expand Beyond recommends that you install a Windows gateway in every forest that you want to manage. The Windows gateway requires the .NET Framework and uses IIS.

The PocketAdmin for Windows client provides an AD view of your environment. First, you specify the domain and a computer (by drilling through organizational units—OUs), then select management functions including user and group management, event-log viewing, processes, and services. In contrast to the software's colorful computer-management icons, data is presented in text-based tables, as Figure 7 shows, and isn't quite as clean-looking as the data displays of tools that use proprietary clients.

Well suited to organizations that have many servers, the AD-centric UI provides hierarchical navigation, which makes locating objects in a large list easy, assuming you know where they reside in AD. The program effectively uses a "bread-crumbs" approach to mark your location in the hierarchy, so backtracking through multiple levels is easy.

The software also features a robust shell that leverages an independently installed SSH server. You can use the separate PocketAdmin Console client as a full SSH shell, or you can execute short commands directly from the PocketAdmin for Windows Web client.

sonicadmin
The polished interface of Sonic Mobility's sonicadmin gives you menu-driven access to most common remote administration actions. A full command prompt provides access to your favorite console-based utilities or commands on the server. If you prefer, you can use SSH or Telnet to connect to managed servers. Auditors will appreciate sonicadmin's ability to log remote-access commands and activities.

sonicadmin's proprietary client/server architecture lets it compress and encrypt network traffic without requiring additional configuration. Loading the sonicadmin client on your Pocket PC and connecting to the sonicadmin server require several security steps, such as setting up users and authorizing the mobile device. The server provides the gateway to all your other network servers. You use the sonicadmin management console, which resides on the server, to add roles, mobile devices, and users, as Figure 8 shows, and to enable Windows or SSH and Telnet servers for remote control. sonicadmin stores configuration information in a Microsoft Access database, which you don't have to configure.

The proprietary client is well designed and easy to navigate. Viewing processes, services, and other data lists is fast and easy. sonicadmin includes a command-line utility that comes prepopulated with common commands (e.g., Ipconfig, Netstat, Nbtstat, Net Use, Tracert) and lets you enter your own commands.

The Right Tool for You
Each of these tools lets you manage the most common remote administration tasks, such as monitoring and restarting services. True to the adage that you get what you pay for, the more expensive products include enterprise features that might be too costly for some companies. Individuals or small companies might not mind the shared security model of Net Tools or NT Services and will most definitely like their low cost. But the thoughtful and robust features that ASG-MobileControl Administrator or Expand Beyond Mobile Suite for Microsoft provide might be worth the higher price. Most of these products offer full-featured evaluation licenses. Take advantage of them to test-drive products that interest you before you make a purchase.